kritis-validation-hook is a key component for verifying image signatures. You can use signature verification to ensure that only images signed by trusted authorities are deployed. This reduces the risk of malicious code execution. This topic provides examples of how kritis-validation-hook is used to verify signatures.
Based on the open-source project kritis, kritis-validation-hook is integrated with Alibaba Cloud Container Registry (ACR) to support signature verification for images that are signed by Key Management Service (KMS). kritis-validation-hook is integrated with Security Center, KMS, and ACR to implement fully automated image signing and signature verification. This allows you to build a secure environment for clusters. For more information about how to enable signature verification for container images, see Use kritis-validation-hook to automatically verify the signatures of container images.
- The address of the image signed by KMS is kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45.
- The public key of the KMS key is stored in the publickey.txt file.
- The ID of the KMS key is 4a2ef103-5aa3-4220-89ee-kms-key-id.
- Create an AttestationAuthority object to declare a trusted authority.
The preceding public key is used in the following code block:
```shell
$ cat <<EOF > AttestationAuthority.yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
  name: demo-aa
spec:
  noteReference: namespaces/demo-aa
  publicKeyData: $(cat publickey.txt | base64 | tr -d '\n')
  publicKeyId: 4a2ef103-5aa3-4220-89ee-kms-key-id
EOF
$ kubectl apply -f AttestationAuthority.yaml
```
- Create a GenericAttestationPolicy object to declare the attestation policy and specify the trusted authority for signature
```shell
$ cat <<EOF > GenericAttestationPolicy.yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: GenericAttestationPolicy
metadata:
  name: demo-gap
spec:
  attestationAuthorityNames:
  - demo-aa
EOF
$ kubectl apply -f GenericAttestationPolicy.yaml
```
- Verify that images are not allowed to be deployed if they are not signed by the trusted
```shell
$ kubectl create deployment test-denied --image=alpine:3.11
Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested
$ kubectl create deployment test-denied --image=kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine:3.11
Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine:3.11 is not attested
```
- Verify that images are allowed to be deployed if they are signed by the trusted authority.
```shell
$ kubectl create deployment test-allow --image=kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45
deployment.apps/test-allow created
```
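The two outcomes above hinge on what an attestation is bound to: the digest-pinned reference is admitted, while the same repository addressed by the mutable tag 3.11 is denied because no signature covers a tag. The following Go program is an added example, not code from kritis or from this page; it models that admission decision with Ed25519 standing in for the KMS key and a plain signature over the digest standing in for the PGP-signed payload kritis verifies, and every type and function name in it is the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"strings"
)

// Constructed model of the objects on this page. Ed25519 stands in for the
// KMS-managed key (kritis itself verifies PGP signatures over a payload).
type AttestationAuthority struct {
	Name      string
	PublicKey ed25519.PublicKey
}
type GenericAttestationPolicy struct{ AttestationAuthorityNames []string }

// An Attestation binds an authority's signature to one image digest, never a tag.
type Attestation struct {
	AuthorityName, Digest string
	Signature             []byte
}

// NewKey stands in for creating the KMS key; Sign is what the signer publishes.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
func Sign(name string, priv ed25519.PrivateKey, digest string) Attestation {
	return Attestation{name, digest, ed25519.Sign(priv, []byte(digest))}
}

// Admit mirrors the webhook decision: allow only a digest-pinned reference with
// a valid signature over that digest from an authority named in the policy.
func Admit(imageRef string, p GenericAttestationPolicy, auths map[string]AttestationAuthority, atts []Attestation) (bool, string) {
	i := strings.Index(imageRef, "@sha256:")
	if i < 0 { // a tag-only reference carries no digest, so nothing attests to it
		return false, "image " + imageRef + " is not attested"
	}
	digest := imageRef[i+1:]
	for _, name := range p.AttestationAuthorityNames {
		aa, ok := auths[name]
		for _, att := range atts {
			if ok && att.AuthorityName == name && att.Digest == digest &&
				ed25519.Verify(aa.PublicKey, []byte(digest), att.Signature) {
				return true, "image " + imageRef + " attested by " + name
			}
		}
	}
	return false, "image " + imageRef + " is not attested"
}
```

A signature from an authority that is not listed in the GenericAttestationPolicy, or a signature that does not verify, is ignored rather than treated as an error, so the request is simply denied as "not attested".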
- Immutable image tags. With immutable image tags, you can specify tags instead of image digests when you verify image signatures. This improves the user experience.
- Image vulnerability detection. With image vulnerability detection, you can deny requests for deploying images that contain vulnerabilities of specified levels. This reinforces the security of your environment.